[9.186-1] [QUESTION] IPv6 input drop feature?

Hi,

I'm trying to create an drop rule for this but I am unable to get it to enter the input chain in iptables. It only triggers the forward rule.

If I enter destination interface as destination it will not work. Not if i enter the ff02 also. If I enter the port number it will not work as well.

Is this a bug or simply a thing not thought of? [;)]

This is the traffic I want to nail... Just drop no log.
For the moment the default drop rule in the input chain does the trick... but it is flooding my logs. [:(]

2013:12:12-17:25:38 bifrost ulogd[4521]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0.10" srcmac="0:c:42:20:62:b4" dstmac="6c:62:6d:ab:cd[:D]d" proto="17" length="174" srcip="fe80::20c:42ff:fe20:62b4" dstip="ff02::1" hlim="1" srcport="5678" dstport="5678"

Thanks in advance

Best Regards,
Frank W

0 dontpanic over 11 years ago

Hi Frank,

The problem is that you get packets on your interface with the destination IP dstip="ff02::1". So it's dropped in your INPUT chain in iptables.
There is just one way in Webadmin to create INPUT (or OUTPUT) rules. Therefore you need an interface address as destination (or source). You can't create a network object with a multicast address like 'ff02::1' which is written in the INPUT chain. Thats why your drop-only rules in Webadmin didn't match the multicast packets.

However, I agree that this 'noisy' behaviour isn't good. We opened a mantis id for this issue to drop IPv6 multicast packets without logging.

Thanks for reporting it. [:)]

cheers,
Daniel

Windows has detected you do not have a keyboard. Press 'F9" to continue.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Astaro Beta Bot over 11 years ago

Thanks for reporting. We are now tracking this as Mantis ID #29960
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Astaro Beta Bot over 11 years ago

The Mantis ID #29960 is now being worked on. We are planning to release a fix for this issue in Version 9.190.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 TKITFrank over 11 years ago in reply to Astaro Beta Bot

Hi Daniel,

Sounds excellent.

Are there any plans to implement an more simple approach to create INPUT/OUTPUT rules?
Like to identify on VLAN ID/Interface? Or a checkbox like the "logging option" where you can specify if it should be in the custom INPUT/OUTPUT chain?

This would make it (Firewall) more versatile and it would not interfere with the normal operations (Services and so on). Since they are "system" rules in there own custom chain and the customers own rules are last in the chain.

Thanks again for your answer, Looking forward to 9.190 [:)]

Best Regards,
Frank W
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Astaro Beta Bot over 11 years ago

We are planning to release a fix for this issue in Version 9.191.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Astaro Beta Bot over 11 years ago

We are planning to release a fix for this issue in Version 9.192.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Astaro Beta Bot over 11 years ago

We are planning to release a fix for this issue in Version 9.193.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Astaro Beta Bot over 11 years ago

The Mantis ID #29960 is now fixed.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Astaro Beta Bot over 11 years ago

The Mantis ID #29960 is now closed.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel